Articles I've written

Top 10 coffee brands according to Have I Been Pwned

Top 10 coffee brands based on how much their names are used as passwords. Look, not every password research has to be meaningful.

(read more…)

Slovak websites in the “Collection #1” password database and friends
January 23, 2019

Yesterday I checked Czech websites in “Collection #1” and others (like “Collection #2” to “Collection #5”, “BigDB”), today I've checked Slovak sites. We're neighboring countries and historically have a lot in common, many Czech users have accounts on Slovak sites as well, so it seemed like a good idea.

(read more…)

Czech websites in the “Collection #1” password database and friends
January 22, 2019

Last week was all about the 773 million records data breach, nicknamed “Collection #1”. It's a few years old compilation of previous data leaks but it's still interesting to check which Czech websites (and Slovak, too) are present in this and other databases (like “Collection #2” to “Collection #5”, “BigDB”).

(read more…)

Account takeover in regional transportation system Lítačka

Just a few weeks ago, a new regional transportation system called Lítačka (a slang word for prepaid municipal transportation ticket used in some parts of the Czech Republic) was put into operation in Prague and the Central Bohemian Region. The system allows passengers to buy tickets in a mobile application, passengers can also pair their tickets with their payment cards so the validity of the prepaid ticket can later be checked by waving the card near random card readers in transportation vehicles. You could also steal a password reset link right from the unsuspecting user's browser.

(read more…)

Cracking passwords from the dump
January 2, 2018

You don't crack passwords using rainbow tables or brute-force attacks anymore. So this probably wasn't a plaintext leak, somebody have cracked 750k passwords and uploaded them online. I've tried cracking them too.

(read more…)

Upgrading existing password hashes
September 5, 2017 (updated March 20, 2024)

Still using MD5 or SHA-1 to store user passwords and want to gracefully migrate to e.g. bcrypt? Want to do it properly to protect all passwords in the database? Here's how.

(read more…)

All articles